US12452219B2ActiveUtilityA1

Network device with datagram transport layer security selective software offload

80
Assignee: MELLANOX TECHNOLOGIES LTDPriority: Jun 1, 2023Filed: Apr 4, 2024Granted: Oct 21, 2025
Est. expiryJun 1, 2043(~16.9 yrs left)· nominal 20-yr term from priority
H04L 63/166H04L 63/0485H04L 63/0428
80
PatentIndex Score
1
Cited by
157
References
25
Claims

Abstract

In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets, and perform DTLS processing on the first packets, and a host interface to provide the DTLS processed first packets to the software, and provide the second packets to the software to perform DTLS processing on the second packets.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system, comprising a networking device, including:
 a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network; 
 packet processing circuitry to:
 identify first packets of the received packets for DTLS processing in the packet processing circuitry; 
 identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets; and 
 perform DTLS processing on the first packets; and 
 
 a host interface to:
 provide the DTLS processed first packets to the software; and 
 provide the second packets to the software to perform DTLS processing on the second packets. 
 
 
     
     
       2. The system according to  claim 1 , wherein the packet processing circuitry comprises DTLS processing circuitry to:
 find at least one decryption key based on source and destination data of at least one DTLS header of the first packets; 
 decrypt and authenticate the first packets based on the at least one decryption key; and 
 perform replay protection checks based on DTLS sequence numbers of the first packets. 
 
     
     
       3. The system according to  claim 1 , further comprising a host device including a processor to execute the software to:
 receive the second packets; and 
 perform DTLS processing on the second packets. 
 
     
     
       4. The system according to  claim 3 , wherein the software is to:
 find at least one decryption key based on source and destination data of at least one DTLS header of the second packets; 
 decrypt and authenticate the second packets based on the at least one decryption key; and 
 perform replay protection checks based on DTLS sequence numbers of the second packets. 
 
     
     
       5. The system according to  claim 1 , wherein the packet processing circuitry is to generate completion queue elements (CQEs) for the second packets indicating that the packets are being offloaded to the software to perform DTLS processing on the second packets. 
     
     
       6. The system according to  claim 1 , wherein the packet processing circuitry comprises DTLS processing circuitry, wherein the packet processing circuitry is to indicate to the DTLS processing circuitry that the second packets are to bypass DTLS processing in the DTLS processing circuitry. 
     
     
       7. The system according to  claim 1 , wherein the packet processing circuitry is to:
 identify the first packets for DTLS processing in the packet processing circuitry based on the first packets belonging to at least one first network flow; and 
 identify the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets belonging to at least one second network flow. 
 
     
     
       8. The system according to  claim 1 , wherein the packet processing circuitry is to:
 identify the first packets for DTLS processing in the packet processing circuitry based on the first packets supported by a first version of DTLS; and 
 identify the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets being supported by a second version of DTLS, different from the first version of DTLS. 
 
     
     
       9. The system according to  claim 1 , wherein the first packets and the second packets belong to a same network flow. 
     
     
       10. The system according to  claim 9 , wherein the packet processing circuitry is configured to identify the first packets and the second packets based on header field content type of the first packet and the second packets. 
     
     
       11. The system according to  claim 9 , wherein the second packets are handshake packets. 
     
     
       12. The system according to  claim 9 , wherein:
 the second packets bypassing DTLS processing in the packet processing circuitry are packets encrypted by cryptographic material of a new cryptographic key epoch and processed by the packet processing circuitry prior to the cryptographic material of the new cryptographic key epoch being offloaded by the software to the networking device; and 
 the first packets identified for DTLS processing in the packet processing circuitry are packets encrypted by the cryptographic material of the new cryptographic key epoch and processed by the packet processing circuitry after the cryptographic material of the new cryptographic key epoch has been offloaded by the software to the networking device. 
 
     
     
       13. The system according to  claim 12 , wherein the packet processing circuitry is to compare epoch fields in the DTLS headers of the packets against at least one valid epoch installed in the networking device to identify the second packets to bypass the DTLS processing and the first packets for DTLS processing in the packet processing circuitry. 
     
     
       14. A method, comprising:
 receiving network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network; 
 identifying first packets of the received packets for DTLS processing in packet processing circuitry; 
 identifying second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets; 
 performing DTLS processing on the first packets by the packet processing circuitry; 
 providing the DTLS processed first packets to the software; and 
 providing the second packets to the software to perform DTLS processing on the second packets. 
 
     
     
       15. The method according to  claim 14 , wherein the performing the DTLS processing on the first packets comprises:
 finding at least one decryption key based on source and destination data of at least one DTLS header of the first packets; 
 decrypting and authenticating the first packets based on the at least one decryption key; and 
 performing replay protection checks based on DTLS sequence numbers of the first packets. 
 
     
     
       16. The method according to  claim 14 , further comprising performing DTLS processing by the software including:
 finding at least one decryption key based on source and destination data of at least one DTLS header of the second packets; 
 decrypting and authenticate the second packets based on the at least one decryption key; and 
 performing replay protection checks based on DTLS sequence numbers of the second packets. 
 
     
     
       17. The method according to  claim 14 , further comprising generating completion queue elements (CQEs) for the second packets indicating that the packets are being offloaded to the software to perform DTLS processing on the second packets. 
     
     
       18. The method according to  claim 14 , further comprising indicating to DTLS processing circuitry that the second packets are to bypass DTLS processing in the DTLS processing circuitry. 
     
     
       19. The method according to  claim 14 , further comprising:
 identifying the first packets for DTLS processing in the packet processing circuitry based on the first packets belonging to at least one first network flow; and 
 identifying the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets belonging to at least one second network flow. 
 
     
     
       20. The method according to  claim 14 , further comprising:
 identifying the first packets for DTLS processing in the packet processing circuitry based on the first packets supported by a first version of DTLS; and 
 identifying the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets being supported by a second version of DTLS, different from the first version of DTLS. 
 
     
     
       21. The method according to  claim 14 , wherein the first packets and the second packets belong to a same network flow. 
     
     
       22. The method according to  claim 21 , further comprising identifying the first packets and the second packets based on header field content type of the first packet and the second packets. 
     
     
       23. The method according to  claim 21 , wherein the second packets are handshake packets. 
     
     
       24. The method according to  claim 21 , wherein:
 the second packets bypassing DTLS processing in the packet processing circuitry are packets encrypted by cryptographic material of a new cryptographic key epoch and processed by the packet processing circuitry prior to the cryptographic material of the new cryptographic key epoch being offloaded by the software to the networking device; and 
 the first packets identified for DTLS processing in the packet processing circuitry are packets encrypted by the cryptographic material of the new cryptographic key epoch and processed by the packet processing circuitry after the cryptographic material of the new cryptographic key epoch has been offloaded by the software to the networking device. 
 
     
     
       25. The method according to  claim 24 , further comprising comparing epoch fields in the DTLS headers of the packets against at least one valid epoch installed in the networking device to identify the second packets to bypass the DTLS processing and the first packets for DTLS processing in the packet processing circuitry.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.